Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Discoverability by phone number/email restriction bypass - 785

Vladimir Volfovich Zhirinovsky, posted 4 years ago
  • Twitter has a setting that makes it impossible to find a user by phone number or email. It is a privacy feature intended to prevent mass scraping and targeted attacks.
  • When creating a new user via the Android client, the signup flow runs an account duplication check on both the email address and the phone number. If either is already registered, the response includes the id of the existing user. Since user ids are public and resolve directly to a handle (e.g. @dooflin), the check reveals which account owns that email or phone number.
  • An attacker could submit a large list of guessed emails or phone numbers and correlate each hit with a user account. Not only does this bypass the privacy setting, but the endpoint is unauthenticated, so it could be used for anonymous bulk scraping; in particular, to build a database mapping phone numbers and emails to usernames.
  • This bug was really interesting to me since it bypassed the security feature entirely. This feels like a side door of a building: the information is usable here, but no one considered it. Secondly, enumeration bugs are common on these types of endpoints, but it is odd that the id of the current user was returned. Overall, great find!
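To make the oracle concrete, here is an added model of the bug described above. It is my own illustration, not Twitter's code or anything from the original report; the accounts, identifiers and function names (`contacts_lookup`, `signup_duplicate_check_vulnerable`, `signup_duplicate_check_hardened`) are all constructed for the example. It shows the intended discoverability path honouring the per-user setting, the signup pre-check that ignores it and leaks the existing user's id, the attacker loop that resolves leaked ids to handles, and a hardened pre-check whose response is identical whether or not the identifier exists.

```python
"""Constructed model of a signup duplication check leaking user ids (not Twitter's code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    user_id: int
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool  # the privacy setting the report bypasses
    discoverable_by_phone: bool


# Constructed sample accounts. dooflin has opted out of both, bob only of email.
USERS = [
    User(101, "dooflin", "dooflin@example.com", "+15550000101", False, False),
    User(102, "alice", "alice@example.com", "+15550000102", True, True),
    User(103, "bob", "bob@example.com", "+15550000103", False, True),
]
BY_ID = {u.user_id: u for u in USERS}

# Attacker's guess list: a mix of registered and unregistered identifiers.
CANDIDATES = [
    ("email", "dooflin@example.com"),
    ("email", "nobody@example.com"),
    ("phone", "+15550000103"),
    ("phone", "+15550009999"),
]


def lookup_handle(user_id: int) -> Optional[str]:
    """Public id -> handle resolution. Ids are public, so this step needs no bug."""
    user = BY_ID.get(user_id)
    return user.handle if user else None


def contacts_lookup(email: Optional[str] = None, phone: Optional[str] = None) -> Optional[int]:
    """The intended discoverability path: only returns users who opted in."""
    for u in USERS:
        if email and u.email == email and u.discoverable_by_email:
            return u.user_id
        if phone and u.phone == phone and u.discoverable_by_phone:
            return u.user_id
    return None


def signup_duplicate_check_vulnerable(email: Optional[str] = None,
                                      phone: Optional[str] = None) -> dict:
    """Unauthenticated signup pre-check. Ignores the privacy setting and leaks the id."""
    for u in USERS:
        if (email and u.email == email) or (phone and u.phone == phone):
            return {"taken": True, "user_id": u.user_id}
    return {"taken": False}


def signup_duplicate_check_hardened(email: Optional[str] = None,
                                    phone: Optional[str] = None) -> dict:
    """Fixed pre-check: constant response, no id, no existence bit.

    Whether the identifier is already registered is communicated out-of-band
    (a message to that address or number), so the caller learns nothing here.
    """
    return {"accepted": True}


def enumerate_handles(candidates, check=signup_duplicate_check_vulnerable) -> dict:
    """Attacker loop: feed guesses to the pre-check and map hits to handles."""
    found = {}
    for kind, value in candidates:
        resp = check(**{kind: value})
        if resp.get("taken") and "user_id" in resp:
            found[value] = lookup_handle(resp["user_id"])
    return found


if __name__ == "__main__":
    print("privacy-respecting lookup:", contacts_lookup(email="dooflin@example.com"))
    print("via vulnerable pre-check:", enumerate_handles(CANDIDATES))
    print("via hardened pre-check:", enumerate_handles(CANDIDATES, signup_duplicate_check_hardened))
```

Running it shows that `contacts_lookup` returns nothing for dooflin, while the vulnerable pre-check resolves both opted-out identifiers to handles, and the hardened one yields an empty map. Returning only a boolean "taken" flag would still be an existence oracle against the privacy setting, which is why the hardened version gives the same answer in every case and relies on rate limiting plus out-of-band notification for the legitimate "already registered" case.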